Performing code analysis and security scans on your code is imperative to software craftsmanship. Over the years, I have had plenty of options for performing security scans, both with third-party vendors and open-source tools. I want to highlight some of my favorite GitHub Actions to run code analysis with a Security-focus in this post. Before diving into some of my favorites on GitHub, here are some recent posts related to code analysis and security that I published. Perhaps they can be insightful, too: Use the Microsoft Application Inspector to analyze your source codeWebsite security scanning with GitHub Actions and OWASP…
Use the Microsoft Application Inspector to learn more about your code. Discover what types of algorithms, APIs, sensitive data and more that you make use of in the code base.
There are numerous ways to secure and audit your Azure Key Vault setup and usage. In 2019, I wrote Who accessed my Azure Key Vault?, which is still relevant. In this article, I want to talk about how to set up automatic notifications when something change related to your secrets. Events in Key VaultsBefore we drill into the steps to get this done, I want to talk about events in general, and things we might want to think about before we dive in. What events can we subscribe to? The Azure Key Vault uses EventGrid for events. The currently supported…
Security is a topic that should be on top of everyone's mind. Particularly security in software is vital, given the enormous growth in threats targeting online resources. I previously wrote about other developer-oriented security aspects that you might find interesting: Embrace a Security Development Lifecycle (SDL) for AzureAutomate Azure DevOps code security analysis with MSCAToday I want to highlight another approach: vulnerability checks on systems running in the cloud or on your servers. That is, not during development, but in the system where they are operating. In this post, I'm discussing how we can do this using GitHub Actions and…
Relying on Application Insights to provide great data has always been a core component of anything I create. Recently, I upgraded my projects to .NET Core 3.1, and in few cases I also upgraded to .NET 5 (Preview). A lot of my code is executed in containers, or other background processes that may not have a native Application Insight integration. With the upgrade to .NET Core 3.1, we noticed after a while that no logs were persisted to the cloud anymore. I could see telemetry being created when debugging, and from that perspective all the unit tests were…
Do you also feel that there is an exponential growth of resources in your cloud environments? In my job, I have had to plan, design, architect, and develop solutions for the cloud ecosystem. When it is time to operate and maintain them, it gets a bit trickier if you have many departments. Demands will vary by department, and requirements on the technology you use might look different in other parts of the organization. A key thing I've learned over the years is that you need a proper governance plan. It would help if you allowed the business to thrive. Operations…
In Azure Security Center you get a lot of built-in recommendations based on various compliance- and security controls. These are based on industry standards and include things like Azure CIS, PCI DSS, SOC TSP, ISO 27001, and more. However, many organizations have different requirements than the defaults, and sometimes want to introduce additional or modified checks. With Azure Security Center we get the capability to use custom recommendations together with Azure Policy, where we now can define our corporate policies and roll them out as recommendations in ASC. A great way to tailor the experience according to our use cases.…
"This feature is currently in preview. Previews are made available to you on the condition that you agree to the supplemental terms of use. Some aspects of this feature may change prior to general availability (GA). Currently, managed identities on Azure Container Instances, are only supported with Linux containers and not yet with Windows containers." - Microsoft DocsPreviously I wrote about a post explaining how to programmatically create new Azure Container Instances (ACI) that are connected to a specific Virtual Network, allowing communication with services and data that resides inside that network. In this post I'm sharing a brief additional…